We are pleased to introduce Manuel José Lucena López as a new guest blogger in September. Manuel is a PhD in Information Technology from Jaén University (Spain), a recognized expert in cryptography and a regular collaborator in Kriptópolis. His book Criptografía y Seguridad en Computadores (a free electronic book under the Creative Commons license) is a classic in Spain, a reference book used in dozens of universities by thousands of students who take their first steps in this circle.

Manuel banked on Negonation from the start. In fact, he is one of the first negonators. In 2004, when the project was merely an abstract heap of ideas, we would meet on the first Saturday of each month in Madrid in a room given to us by the people at Biblioteca de las Indias Electrónicas. The collaborators came from all over Spain; Manuel came from Jaén each Saturday after a long train ride. Manuel now works in the X.509 certificate validation algorithm of our Validation Authority. A detailed mathematical task which suits him to a tee and whose result will be made into free software.

Without further ado, maestro, welcome to the blog. Post no. 50 is all yours…

Anyone who’s been to London will immediately recognize the famous warning sign in the underground stations whose aim is to remind us to mind the gap between the platform and wagons. In IT, there is something very similar: we have to manage in various planes and consider the gaps between them.

Every time we want to solve a problem using computers, we necessarily have to move in three different universes, each one with its own rules: firstly, there is the real world, the everyday world, which is where the problem usually arises; secondly, but no less important, is the abstract world, where the mathematical formalisms (usually algorithms) that help to build the necessary software lie; and finally, there is the world of electrons, cables, bits, memories, buses and other electronic components of the computer itself, which provides support to the algorithms while helping create representations of the problems and their corresponding solutions that are readable in the real world. For example, it is no use designing a very beautiful algorithm that is mathematically elegant and impeccable if the physical support where it must run – the computer – is unable to execute it in a practical way.

The digital signature is one of those applications in which those three planes interact in a more fascinating way and where, at the same time, the “gaps” between each plane are more evident. This would explain many of the difficulties experienced by several digital signature applications when reaching the general public.

When people sign a document in the traditional way, they produce a mark as a result of the interaction between the pen or fountain pen and the paper, and which responds to the biomechanical characteristics of their arm. Those characteristics can be analyzed by a graphologist in order to detect a forgery. But don’t let us fool ourselves: a signature can be forged. The thing is we know that the probability of achieving this is low, and we have learnt to accept that risk (like so many others), so we sleep at night without too many problems.

A digital signature has to be analyzed using the aforementioned three planes. In the mathematical plane, we can say that we have techniques that provide an extraordinarily high security level, so the risks at this level are practically zero. However, it gets complicated (very much so) if we want to build a “real” solution for the real world. In fact, when I digitally sign a document, in reality it is the computer that is making the calculations, and my role is limited to contributing some kind of proof (password, device, etc.) to accredit my identity. And the process of providing that proof, from the time it comes from me to the moment it is reflected in the appropriate sequence of bits inside the computer’s memory, can become a real minefield. Going through it in an absolutely secure way is practically impossible but I am convinced that, if done appropriately, the risks can be reduced to considerably lower levels than those present in the traditional signature.

The Tractis project has shown me the enormous importance of correctly minding all the gaps between the digital signature from a mathematical standpoint and the digital signature as an application for real world users. After listening to the team’s members, I realize the complexity of making things simple and useful for people. I don’t know if this adventure will be successful but I can safely say that, in pure Hollywood style, if anyone can achieve it, it is them.